[arin-ppml] ARIN discontinuing DNSSEC capability to legacy holders
Paul Ebersman
list-arin-ppml at dragon.net
Sat Oct 6 02:36:51 EDT 2018
rfg> 1) I confess that I know virtually nothing about DNSSEC. I do
rfg> know one thing however, which is that there's such a thing,
rfg> in the world of domain names, as a "self signed" SSL
rfg> certificate.

DNSSEC follows a chain of trust from the root or trust anchor through
the whole chain. If the parent doesn't sign, it won't validate. So no, no
equivalent of self-signed SSL certs.

And the benefit isn't just to the owner of the prefix. As several folks
have said, if I want to know something about the in-addr zone data,
DNSSEC signing has value to anyone doing DNSSEC validation, not just the
zone or prefix owner. There is value to the entire internet in the whole
in-addr tree being signed at some point.
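
The chain-of-trust behaviour described in the message above, as an added Python example that is not part of the original post: each parent publishes a DS digest (SHA-256 over owner name plus DNSKEY RDATA) for its child, and a validator walks down from the trust anchor. Assumptions: the zone keys are constructed placeholder bytes, `192.in-addr.arpa.` is only a sample leaf, RRSIG verification and the authenticated proof that no DS exists are omitted, and the state names secure/insecure/bogus follow RFC 4035.

```python
import hashlib, struct

def wire_name(name):
    """Canonical (lowercased) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(pubkey, flags=257, alg=13):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def build_chain(parent_publishes_ds=True):
    """Constructed zones, ordered root to leaf; key bytes are placeholders."""
    names = [".", "arpa.", "in-addr.arpa.", "192.in-addr.arpa."]
    zones = [{"name": n, "dnskey": dnskey_rdata(b"constructed-key-" + n.encode()),
              "ds_for_child": None} for n in names]
    for parent, child in zip(zones, zones[1:]):
        parent["ds_for_child"] = ds_digest(child["name"], child["dnskey"])
    if not parent_publishes_ds:
        zones[-2]["ds_for_child"] = None   # parent never signs the delegation
    return zones

def root_anchor(zones):
    """Trust anchor configured in the validator: digest of the root key."""
    return ds_digest(zones[0]["name"], zones[0]["dnskey"])

def validate(zones, trust_anchor):
    """Return {zone: 'secure' | 'insecure' | 'bogus'}, walking down from the anchor."""
    status, expected, prev = {}, trust_anchor, "secure"
    for z in zones:
        if prev != "secure":
            state = prev          # nothing below a break can be secure
        elif expected is None:
            state = "insecure"    # no DS: the zone's own key is unanchored
        elif ds_digest(z["name"], z["dnskey"]) != expected:
            state = "bogus"       # DS exists but does not match the key
        else:
            state = "secure"
        status[z["name"]] = prev = state
        expected = z["ds_for_child"]
    return status
```
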